

FEDERAL AND STATE REGULATIONS CONCERNING THE PRIVACY OF HEALTH CARE DATA


The Rand Paper Series

Papers are issued by The Rand Corporation as a service to its professional staff. Their purpose is to facilitate the exchange of ideas among those who share the author's research interests; Papers are not reports prepared in fulfillment of Rand's contracts or grants. Views expressed in a Paper are the author's own, and are not necessarily shared by Rand or its research sponsors.

The Rand Corporation
Santa Monica, California 90406




FEDERAL AND STATE REGULATIONS CONCERNING THE PRIVACY OF HEALTH CARE DATA *


While my topic concerns federal and state regulations concerning the privacy of health care data, I want to take license with it and speak to the intent rather than the letter of the title. To give some overview to the subject, the American Hospital Association testified before the Privacy Protection Study Commission that in 1974 some 7,100 of its members created records on roughly 35 million inpatient admissions, 71 million emergency room visits, and 108 million clinic visits. That represents something over 200 million hospital visits and therefore hospital records, approximately one visit for each person in the country. It gives a sense of the magnitude of the health care business; the numbers are large. As large as they are, they are only a small part of a much bigger demand that is growing for information as we, a large country with a large population, lead increasingly complex lives and surround ourselves by increasingly large government programs, all of which have to be accountable.

The first order of business is to define terms. Confidentiality, privacy and security are three words with close links, but with somewhat different meanings. Confidentiality is a status that is accorded to data indicating that for some reason it is sensitive and needs special protection. By implication, there is control over dissemination; were it to be freely available to anyone, then obviously it could not have special status. Arguing in reverse, it follows that the special status of confidentiality implies control of dissemination, and control of use. Sometimes the control is assured by law but frequently not.

Privacy is the social expectation that an individual will have some control over the use of information about himself. It is the social expectation that decisions made about an individual and involving records will be fair ones. Finally it is the social expectation that the individual will be protected against excessive or obtrusive collection.


* A talk presented at a symposium sponsored by the University of California, Los Angeles on November 5, 1976.




Security is the set of safeguards put into a record-keeping system that accomplishes three things. First, the safeguards protect the system per se, its equipment if computerized, its data, its people, and its facilities against damage from some threat. Secondly, the safeguards assure the owner of the system that it will not be denied to him. One does not want dissident groups capturing essential data systems that support important societal functions. Finally, security safeguards assure that information is divulged only to authorized recipients. By implication, the safeguards assure that it is not divulged to unauthorized recipients.

The real subject for discussion is not privacy of health care records, but rather the confidentiality of the health care records with an overlay of privacy as it relates to emerging social expectations. There are several parts to the matter, so first I will give a quick summary of affairs at the state level. The source of my information is an appendix from a January 1973 report of the Secretary's Commission on Medical Malpractice.

A January 1973 date implies that it is 1972 data; therefore, it is roughly four years old, but I think that the general pattern and the general picture will be correct. In general, state regulations or state laws are frequently completely silent on rights of access or legal status of records; nothing is said. Secondly, the question of ownership of the records is almost never discussed; the California law in regard to hospital records is a rare event. Third, whatever coverage there is in whichever states have it, is very uneven in its completeness and is quite variable. Sometimes the coverage applies only to public institutions and sometimes it applies as well to private institutions. The data indicates that of the 50 states, plus the District of Columbia, 37 are absolutely silent on aspects of protection or access to health care records. There are 9 that provide some kind of regulation through boards of health or corresponding entities; there are 3 that provide some kind of regulations through hospital organizations. There are only 2 that have some legal status established, one of them by common law and one through its established rules of procedure.

To summarize in another dimension, 37 are silent on subject access to the records, although other access may be covered. Of the 14 that have some provision for subject access, 9 provide access by explicit law and one by case law. When there is subject access, sometimes it is only through his treating physician as a channel; sometimes it is through his treating physician's consent; sometimes the subject gets the record only after discharge from the hospital; sometimes the subject is given direct property rights in law and in one instance, the subject has legal, undeniable right and interest in law but he may have to go to the courts to exercise that right. It is very variable across the states.

With respect to access to health records by a subject's attorney, 43 of the states are absolutely silent; 8 have some provision, 6 by law and one by regulation; one, simply because it grew up as a practice. Sometimes in those that try to control it, patient consent is required, frequently not. With regard to access by third parties other than a patient's attorney, 18 states say nothing, and 33 have some provision. Sometimes provision may be a court order or a subpoena; sometimes access by a third party may require the consent of the hospital or of the physician or of the patient or some combination of them; sometimes access is given to insurance companies and sometimes to law enforcement agencies and sometimes to boards of health and sometimes to "any interested persons" with a legitimate interest. Sometimes access is to a patient representative; sometimes, to any authorized hospital personnel; sometimes, to "government agencies"; sometimes, to licensing agencies. The matter is extremely variable. Only in very rare instances is anything said about the confidential status of health care records at the state level; in such instances, patient consent is required for access.

The word "confidential" just does not arise except in very few states, but the fact that at least some of the states attempt to impose access controls implies that confidentiality is intended although not stated as such. Do keep in mind that 37 states say nothing about the whole subject.

Mental health records get special treatment in most states, but of the 51 governmental entities, 27 are silent on mental health records; 24 make some provision, 5 states explicitly. Five of the 24 explicitly define mental health records as confidential. In other cases, access may require consent of the patient; it may require a court order; access can be available to boards of trustees of institutions, to attorneys, or to physicians. Sometimes access is at the discretion of the management of the facility. In a few states, access is explicitly prohibited without patient consent or without court order. Since there is some attempt by the state to limit access, by inference there is an implied status of confidentiality.

From a different point of view, information maintained by state-administered or state-supported hospitals is of special concern because such facilities may find themselves under the cognizance of one of the so-called "sunshine acts." A Freedom of Information Act, or a Public Records Act seeks to make the records of all public institutions publicly available. From this perspective and using again the same source of data, 15 of the states specifically exempt health care records from whatever act each might have that gives public access. Five others exempt records only if otherwise confidential; so it takes a second law to establish a health care record as confidential if in one of the 5 states it is to be exempted from public access. It so happens that all five have a physician-patient privilege statute that presumably would establish a confidentiality requirement. Some states exempt only certain aspects of health care records from public access. Slightly over half of the states say absolutely nothing about the matter and presumably any legal test in one of them would get health information into public view.

Whatever arrangements happen to exist, terminology is widely variable; it is quite uncertain just what record content is protected. Sometimes a law or a regulation speaks of hospital records; sometimes, clinical records; sometimes, medical records; sometimes, medical, psychological or sociological data; sometimes, public hospital records; sometimes, vital records. Sometimes, a law or regulation refers to people receiving public medical assistance; sometimes, to identity of people required to report for public health reasons. Sometimes, there are exemptions to the otherwise existing controls, for example the records of a deceased person. Other times, the exemption from access-control references a criminal act or an insurance-compensatable event. Overall, there is much health care information available for public inspection and with essentially no control over access to it — it is there for the taking. The state scene on the whole is widely variable, and it is not always clear just what the circumstance would be without a legal test.

With regard to the final aspect of the situation, 43 states have some physician-patient privilege laws, but in 6 of the 43, that privilege is limited to psychiatric records. Generally such statutes apply to any institution; and therefore, such physician-patient privilege laws would presumably protect, at least in part, access to records in hospitals. However, the details are widely variable; there is no way to summarize it in an orderly way. It amounts to a potpourri of laws, regulations and case law.

At the federal level, the situation is quite different. While there is a federal Freedom-of-Information Act, it has a number of exemptions; health records is one of them. Under the federal FOIA, health records are not available except to the data subject or the patient himself. Drug abuse and alcoholism information receive special treatment because the legislation that created these national efforts specifically provides that it will be treated as confidential, although the authority for establishing the protected status of confidentiality is not absolute and written into law, but rather is given to the Secretary of Health, Education, and Welfare. Whatever rules he chooses to establish govern how drug abuse and alcoholism information is used and protected. In the case of the National Center for Health Statistics, the law prescribes the permissible uses of the data collected, prohibits other use, specifies how it shall be published, and establishes immunity from judicial seizure. There is an option for the Secretary (DHEW) to establish new uses under his authority, but none have been. It is interesting to note that in the two special categories noted, whatever protection the health information has results from the formal rule-making process of the federal government, in contrast to the situation for census data for which the law specifies that the data will be confidential and speaks to its protection. Because of the variability of the language and the structural details of the various laws, it is hard to say what the precise bounds of confidentiality are, even for the three special classes of information. It is hard to say in a general way what permissions are required to access it.

Finally, there is the now well-known Privacy Act of 1974 at the federal level. There is no easy way to give a summary of its consequences because much of the action is still playing out. The Act has been in operation for only a year; not all of its consequences are yet visible. In a broad way, that Act requires Federal agencies to publish an annual notice that describes all record systems, states what the subject matter in each system is and how it is used, describes the data sources, etc. The Act gives each of us as individuals in this country, rights to inspect records, to contest them, and to cause them to be corrected if found in error. As part of the public notice, each record system is required to describe what is called "routine use" — an effort to detail and control the way that information can be used. In part it reflects an effort to give back to the individual some control over the use of information about him. One can buy from the Office of the Federal Register a "telephone book" that lists some 8,000 record systems of the federal government. In it one can find health care — or other — record systems that might be of interest, go to such agencies and ask to see records that each might have about him. In this sense there is parallelism between the Freedom-of-Information Act and the Privacy Act; each gives the subject access to medical records, but it so happens that the Privacy Act works more smoothly, and provides more direct access.

A very significant aspect of the Act is the creation of a national forum in which privacy matters are being investigated in a very broad way. During the Congressional debate that led to the Act, one view held that it should apply to all record systems in the country but another held that it should apply only to those of the Federal government. In working out the conflict, a part of the compromise position was to create a Privacy Protection Study Commission to examine the part of the problem that had been temporarily deferred.

The tasks before the Commission are lengthy, but the item of interest for this discussion is that of medical records or health records — obviously a sensitive area. The Commission is looking at the whole situation from both the public and the private sector point of view. It has held a series of hearings, some of them in Los Angeles and some in Washington, to establish an understanding of record-keeping processes for health care records in public and private institutions. Quite aside from the use of such records for patient care, the Commission has developed insights into the use of the records by such diverse groups as consumer reporting companies, employers, credit grantors, insurance companies, third party payors, and even educational institutions. Many uses are for purposes quite tangential to the reason for originally creating the health record. There is substantial testimony indicating that confidentiality, when and where and if it happens to exist, has been subverted in surprising ways. The most startling one that has come to light is the so-called Factual Services case in which a company specialized in acquiring medical records from hospitals and other sources for insurance claim settlements. The company engaged in such questionable tactics as sending an employee to a hospital dressed as a physician or as a clergyman to seek information and/or "acquire" a record. Alternatively, an employee would phone a hospital at off hours and, posing as a physician, would seek and obtain information about some individual. The situation has been documented widely in public records and the press; legal action is now pending.

On the basis of such happenings, and on the basis of what I have observed personally from hospital visits, I am convinced that hospitals will have to establish much better controls over access to records. Hospitals will have to make a self-assessment of the threat against the health care records and then will have to take conscious steps to create safeguards to counter whatever threat is perceived to exist; hospitals will have to assure that health records are available only to authorized users. Hospitals will have to take affirmative steps to train personnel and to focus management attention on an area of increasing importance. Why? Medical records as a source of information about people have suddenly been discovered as very important to a whole host of collateral questions that have nothing to do with health care, but rather have to do with settlement of insurance claims, getting a job, granting credit, or some other thing. There is an interesting anomaly to the whole story. Someplace out on the edge of the whole thing is the patient and the question of his access to health records. It would almost seem that he is the only person who cannot get them. That would appear to be especially true given the very broad and general consent form that is at the bottom of every insurance application.




As a Commission we have very difficult and complex issues to face with regard to health records. Among them are: Should the patient have access to records? Should this access include the ability to correct a record if the patient believes it is wrong or can demonstrate that it is wrong? Should there be some absolute right of access if a patient record is disclosed to a third party, as opposed to being used for health care? What procedure should be used to prevent unauthorized disclosure of medical record information? What rules should apply to the researcher's access to medical records? What problems are likely to arise under a system of medical health insurance? The issues are tough ones, in part because in the last 10 years or so, an individual's medical record has become an important document, both to himself and to the entire community of record systems with which he must interact.

While there are health professionals who believe for good reason that the individual should not have access to his records, there are arguments on the other side as well. The issue will be very difficult to adjudicate.

While we have a lot to do, the Commission deadline is June 1977. Our goal with respect to health records is to document what the practices are in health care record-keeping, and what the information is used for and how; and second, to report to Congress and to the President recommendations that will assure adherence to fair information practices among health care providers and institutions, and other parties that use such records. As a Commission, we are attentive to the view that it is neither desirable nor feasible to extend the broad principles of the Federal privacy act to the public and private institutions that provide health care. On the other hand, we must weigh both sides of the case and come to our own decision. We will have to reach our own judgements of feasibility and costs; we have to determine whether legislation is even needed — and if so, what kind. It is clear that confidentiality safeguards can be breached if someone wants to badly enough. Based on what we have heard, we are inclined toward the view at the moment that it is essential there be a national policy that governs the circulation and use of health record information. Moreover, given the broad usage that health care information has acquired, it also appears to us that the subject of a health record should have some form of access to it. Perhaps the access should include an intervening physician; perhaps it should be direct when circumstances warrant. Whatever the means, how and when should the data subject have some right to access to his health information?

It is clear that the issues posed by the record-keeping practices of health care providers will not be easy ones to solve. It is clear that it is very easy to have ideas about how to tighten things, but also it is clear that it is very easy to have an idea with serious consequences in terms of closing information sources to people who really ought to have it, in terms of imposing unnecessary costs on record-keeping practices or in terms of making record-keeping practices very awkward to conduct. As a Commission, we are alert to the several aspects and it is our expectation that the final recommendations will satisfactorily address the delicate confrontation of how to protect individuals against the use of information about them in unauthorized or damaging ways vs. how to assure that health care information is made available as needed for socially acceptable purposes.


